MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27e842c3102b6ee4f1e48233732903ae6a3a2bcbbe65a18857f3c34455364f55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27e842c3102b6ee4f1e48233732903ae6a3a2bcbbe65a18857f3c34455364f55
SHA3-384 hash: 7909b59f35b6df3c071e224cf1fc9d574953ca11a4d78a66d31ce109097434cc0e730219fe3e6e1d0607e802de4ed245
SHA1 hash: 3d1f660cf46430abc6e53fcbd4530bf04806ed4d
MD5 hash: 9885eb66291aea0880b86051389cfbb8
humanhash: zulu-georgia-fanta-harry
File name:DHL_AWB_NO_#907853880911.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'003'607 bytes
First seen:2023-03-08 21:06:39 UTC
Last seen:2023-03-08 22:39:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (54 x GuLoader, 17 x RemcosRAT, 16 x AgentTesla)
ssdeep 24576:NyFWaRBd2EFfUS8iPx5C7eG+WYf037z5F:Nd6f58gx54eG+WiazP
Threatray 324 similar samples on MalwareBazaar
TLSH T19425114D69A0D70BE35445717AD1A05ACD30BDACFC24895ABF937B1AA53030186FBE3E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DHL exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_AWB_NO_#907853880911.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 21:22:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aee87471-9385-405a-97f5-deea7735c630

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372771/
Detection(s):
SecuriteInfo.com.Variant.Tedy.309148.15949.9680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Searching for the window
Sending a custom TCP request
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6408f8face680ea731cc532a/reports/d784dfe9-10d0-403b-9411-a0839023e808/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/27e842c3102b6ee4f1e48233732903ae6a3a2bcbbe65a18857f3c34455364f55
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6fd71cdf-b4ff-48a1-93f4-ef4b061bdff0
Result
Threat name:
GuLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189818
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27e842c3102b6ee4f1e48233732903ae6a3a2bcbbe65a18857f3c34455364f55/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 14:11:44 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e7uefqyqfnxoj4peqizxgkidvzvduk6lxzs2dccx6pbuivjwj5kq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
10a21f1899dd0e83ead2011c4638017bc4723a06be0c2058a9f3214da4974a8d
GuLoader
1a090934724f507a62abdf0d9b07f477cc504d50b469f52797df17fc8739549a
GuLoader
29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695
GuLoader
334911b248ad837e24303037e3733e61b119998dc1e1ce8bf7a444754a4cda01
GuLoader
472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89
GuLoader
89599ae785aa5f919018882cd10534cbae8ac89047ebbeda0b232d52fa545944
GuLoader
bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350
GuLoader
d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87
GuLoader
eeecc13b73494e435b8cae2c286e9da374f0ba16eb18509af640a71aa8b11195
GuLoader
+ 314 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230308-zyc4hsga9t/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
Unpacked files
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/fe735b38-575c-4759-9640-496e21fe97f5/
SH256 hash:
27e842c3102b6ee4f1e48233732903ae6a3a2bcbbe65a18857f3c34455364f55
MD5 hash:
9885eb66291aea0880b86051389cfbb8
SHA1 hash:
3d1f660cf46430abc6e53fcbd4530bf04806ed4d
Link:
https://www.unpac.me/results/fe735b38-575c-4759-9640-496e21fe97f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/27e842c3102b6ee4f1e48233732903ae6a3a2bcbbe65a18857f3c34455364f55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372771/

Comments